Bug 150220 - REGRESSION (r190289): Repro crash clicking back button on netflix.com
Summary: REGRESSION (r190289): Repro crash clicking back button on netflix.com
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-15 20:42 PDT by Michael Saboff
Modified: 2015-10-16 09:33 PDT (History)
CC: 2 users

See Also:


Attachments
Patch (11.90 KB, patch)
2015-10-15 21:43 PDT, Michael Saboff
ggaren: review+

Description Michael Saboff 2015-10-15 20:42:25 PDT
1. login to netflix.com
2. start playing a video
3. click back button

--- CRASH ---
Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       EXC_I386_GPFLT
Exception Note:        EXC_CORPSE_NOTIFY

Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
1   com.apple.JavaScriptCore      	0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
2   com.apple.JavaScriptCore      	0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
3   com.apple.JavaScriptCore      	0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
4   ???                           	0x00005fb9baa01028 0 + 105251304640552
5   ???                           	0x00005fb9bab0d066 0 + 105251305738342
6   ???                           	0x00005fb9bad5aef7 0 + 105251308154615
7   ???                           	0x00005fb9bad6aa00 0 + 105251308218880
8   ???                           	0x00005fb9bab4b425 0 + 105251305993253
9   com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
10  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
11  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
12  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
13  ???                           	0x00005fb9baa9b626 0 + 105251305272870
14  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
15  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
16  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
17  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
18  ???                           	0x00005fb9baa9b646 0 + 105251305272902
19  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
20  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
21  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
22  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
23  ???                           	0x00005fb9baa9b646 0 + 105251305272902
24  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
25  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
26  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
27  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
28  ???                           	0x00005fb9baa9b646 0 + 105251305272902
29  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
30  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
31  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
32  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
33  ???                           	0x00005fb9baa9b646 0 + 105251305272902
34  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
35  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
36  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
37  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
38  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
39  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
40  ???                           	0x00005fb9baa9b626 0 + 105251305272870
41  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
42  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
43  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
44  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
45  ???                           	0x00005fb9baa9b646 0 + 105251305272902
46  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
47  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
48  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
49  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
50  ???                           	0x00005fb9baa9b646 0 + 105251305272902
51  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
52  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
53  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
54  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
55  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
56  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
57  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
58  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
59  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
60  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
61  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
62  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
63  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
64  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
65  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
66  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
67  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
68  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
69  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
70  com.apple.JavaScriptCore      	0x000000010719ab94 vmEntryToJavaScript + 299
71  com.apple.JavaScriptCore      	0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
72  com.apple.JavaScriptCore      	0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
73  com.apple.JavaScriptCore      	0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
74  com.apple.JavaScriptCore      	0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
75  ???                           	0x00005fb9baa01028 0 + 105251304640552
76  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
77  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
78  com.apple.JavaScriptCore      	0x00000001071a0767 llint_entry + 23024
79  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
80  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
81  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
82  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
83  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
84  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
85  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
86  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
87  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
88  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
89  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
90  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
91  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
92  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
93  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
94  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
95  com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
96  com.apple.JavaScriptCore      	0x000000010719ab94 vmEntryToJavaScript + 299
97  com.apple.JavaScriptCore      	0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
98  com.apple.JavaScriptCore      	0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
99  com.apple.JavaScriptCore      	0x0000000106c38b0e JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 62
100 com.apple.JavaScriptCore      	0x0000000106d5503a JSC::boundFunctionCall(JSC::ExecState*) + 586
101 ???                           	0x00005fb9baa01028 0 + 105251304640552
102 com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
103 com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
104 ???                           	0x00005fb9bae03119 0 + 105251308843289
105 com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
106 com.apple.JavaScriptCore      	0x00000001071a07d9 llint_entry + 23138
107 com.apple.JavaScriptCore      	0x000000010719ab94 vmEntryToJavaScript + 299
108 com.apple.JavaScriptCore      	0x00000001070c281e JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 158
109 com.apple.JavaScriptCore      	0x0000000106c38cdf JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 447
110 com.apple.JavaScriptCore      	0x0000000106de71b7 JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) + 71
111 com.apple.WebCore             	0x0000000107627934 WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext*, WebCore::Event*) + 996
112 com.apple.WebCore             	0x0000000107a73a5b WebCore::EventTarget::fireEventListeners(WebCore::Event*, WebCore::EventTargetData*, WTF::Vector<WebCore::RegisteredEventListener, 1ul, WTF::CrashOnOverflow, 16ul>&) + 635
113 com.apple.WebCore             	0x0000000107538e20 WebCore::EventTarget::fireEventListeners(WebCore::Event*) + 224
114 com.apple.WebCore             	0x000000010758f164 WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event>, WTF::PassRefPtr<WebCore::EventTarget>) + 260
115 com.apple.WebCore             	0x00000001075a0f26 WebCore::Document::enqueuePopstateEvent(WTF::PassRefPtr<WebCore::SerializedScriptValue>) + 134
116 com.apple.WebCore             	0x0000000107702fd0 WebCore::Document::statePopped(WTF::PassRefPtr<WebCore::SerializedScriptValue>) + 48
117 com.apple.WebCore             	0x0000000107ae78eb WebCore::FrameLoader::loadInSameDocument(WebCore::URL const&, WTF::PassRefPtr<WebCore::SerializedScriptValue>, bool) + 619
118 com.apple.WebCore             	0x0000000107aed05a WebCore::FrameLoader::loadSameDocumentItem(WebCore::HistoryItem&) + 122
119 com.apple.WebCore             	0x0000000107b409b6 WebCore::HistoryController::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 198
120 com.apple.WebCore             	0x00000001080ecd71 WebCore::Page::goToItem(WebCore::HistoryItem&, WebCore::FrameLoadType) + 81
121 com.apple.WebCore             	0x00000001080ce5f1 WebCore::ScheduledHistoryNavigation::fire(WebCore::Frame&) + 65
122 com.apple.WebCore             	0x00000001080cbdc6 WebCore::NavigationScheduler::timerFired() + 102
123 com.apple.WebCore             	0x000000010751a2af WebCore::ThreadTimers::sharedTimerFiredInternal() + 175
124 com.apple.WebCore             	0x000000010751a1c8 WebCore::timerFired(__CFRunLoopTimer*, void*) + 24
125 com.apple.CoreFoundation      	0x00007fff93849514 __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ + 20
126 com.apple.CoreFoundation      	0x00007fff938491a3 __CFRunLoopDoTimer + 1075
127 com.apple.CoreFoundation      	0x00007fff93848cfa __CFRunLoopDoTimers + 298
128 com.apple.CoreFoundation      	0x00007fff93840281 __CFRunLoopRun + 1841
129 com.apple.CoreFoundation      	0x00007fff9383f8e8 CFRunLoopRunSpecific + 296
130 com.apple.HIToolbox           	0x00007fff9589cff1 RunCurrentEventLoopInMode + 235
131 com.apple.HIToolbox           	0x00007fff9589ce2b ReceiveNextEventCommon + 432
132 com.apple.HIToolbox           	0x00007fff9589cc6b _BlockUntilNextEventMatchingListInModeWithFilter + 71
133 com.apple.AppKit              	0x00007fff9227f870 _DPSNextEvent + 1067
134 com.apple.AppKit              	0x00007fff9227ec9d -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] + 454
135 com.apple.AppKit              	0x00007fff9227375a -[NSApplication run] + 682
136 com.apple.AppKit              	0x00007fff9223cbae NSApplicationMain + 1176
137 libxpc.dylib                  	0x00007fff911693a6 _xpc_objc_main + 793
138 libxpc.dylib                  	0x00007fff91167dd3 xpc_main + 494
139 com.apple.WebKit.WebContent.Development	0x000000010200241c 0x102001000 + 5148
140 libdyld.dylib                 	0x00007fff9be894ed start + 1

This bug also seems to be responsible for other web sites failing, including navigating around Facebook.

rdar://problem/22951399
Comment 1 Michael Saboff 2015-10-15 21:43:58 PDT
Created attachment 263247 [details]
Patch
Comment 2 Geoffrey Garen 2015-10-16 01:11:59 PDT
Comment on attachment 263247 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=263247&action=review

> LayoutTests/js/script-tests/regress-150220.js:3
> +// This test verifies that a tail call from a constructor is treated as a normal call.

It's more accurate to say that we're verifying that a tail call from a constructor doesn't crash. The whole "treated as a" thing is a fraught topic, given our discussion of what the spec says vs what its observable effects are.
Comment 3 Michael Saboff 2015-10-16 07:28:56 PDT
(In reply to comment #2)
> Comment on attachment 263247 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=263247&action=review
> 
> > LayoutTests/js/script-tests/regress-150220.js:3
> > +// This test verifies that a tail call from a constructor is treated as a normal call.
> 
> It's more accurate to say that we're verifying that a tail call from a
> constructor doesn't crash. The whole "treated as a" thing is a fraught
> topic, given our discussion of what the spec says vs what its observable
> effects are.

I changed the comment to say:
// This test verifies that a tail call from a constructor doesn't crash and works correctly.
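The construct the test comment refers to, a constructor whose last action is a call, is illustrated below. This is an added example written for this page; it is not the regress-150220.js from the patch, and every function name in it (initialize, makeObject, TailCallsInit, TailCallsObject, BoundTailCallsInit, checkConstructorTailCalls) is made up for the illustration. It checks the two things a practitioner would want a regression test for this shape to pin down: that the constructor survives the tail call, and that the observable `new` semantics hold afterwards (a primitive returned from the callee is discarded in favour of the new object, an object returned from the callee replaces it). Because the crash trace on this bug runs through JSC::boundFunctionCall, the same constructor is also driven through a bound function. The "use strict" directive is there because ECMAScript 2015 specifies proper tail calls only for strict-mode code.

```javascript
"use strict"; // ES2015 proper tail calls apply only to strict-mode code

// Callee reached by a tail call from a constructor. It must observe the
// constructor's `this` when invoked via .call(), and it returns a primitive,
// which `new` discards in favour of the freshly created object.
function initialize(value) {
    this.value = value;
    return value;
}

// Callee that returns an object; `new` yields that object instead of `this`.
function makeObject(value) {
    return { value: value, fromCallee: true };
}

// Constructor whose final action is a call in tail position (hypothetical name).
function TailCallsInit(value) {
    return initialize.call(this, value);
}

// Constructor tail-calling a callee that returns an object (hypothetical name).
function TailCallsObject(value) {
    return makeObject(value);
}

// Same constructor driven through a bound function, as the crash trace on this
// bug passes through JSC::boundFunctionCall. The bound `this` is ignored by
// `new`, so instances still get TailCallsInit.prototype.
const BoundTailCallsInit = TailCallsInit.bind(null);

// Exercise the constructors repeatedly so the engine has a chance to move
// them from the interpreter into JIT tiers before the assertions run.
function runConstructorTailCalls(iterations) {
    const results = [];
    for (let i = 0; i < iterations; i++) {
        results.push(new TailCallsInit(i).value);
        results.push(new TailCallsObject(i).fromCallee);
        results.push(new BoundTailCallsInit(i).value);
    }
    return results;
}

// Returns the observable properties a regression test for this pattern should
// assert on, so a caller can check them without relying on printed output.
function checkConstructorTailCalls() {
    const a = new TailCallsInit(42);
    const b = new TailCallsObject(7);
    const c = new BoundTailCallsInit(3);
    return {
        // primitive from the callee is discarded; `new` returns the instance
        instanceKept: a instanceof TailCallsInit && a.value === 42,
        // object from the callee replaces the instance; no prototype link to the ctor
        objectReturned: b.fromCallee === true && !(b instanceof TailCallsObject),
        // bound constructor still constructs a TailCallsInit instance
        boundConstructs: c instanceof TailCallsInit && c.value === 3,
        // warmed-up loop completes without throwing and yields 3 results per iteration
        warmedUp: runConstructorTailCalls(1000).length === 3000,
    };
}
```

Run under a JSC shell or node; every field of the object returned by checkConstructorTailCalls() should be true. The warm-up loop matters more than it looks: the original trace shows the crash in JIT-compiled code entered from boundFunctionCall, so a test that calls each constructor only once may never reach the tier where the defect lives.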
Comment 4 Michael Saboff 2015-10-16 07:43:36 PDT
Committed r191175: <http://trac.webkit.org/changeset/191175>
Comment 5 Csaba Osztrogonác 2015-10-16 09:23:41 PDT
(In reply to comment #4)
> Committed r191175: <http://trac.webkit.org/changeset/191175>

It broke JSC stress testing everywhere:

Tools/Scripts/run-jsc-stress-tests:1314:in `eval': No such file or directory - /Volumes/Data/slave/yosemite-debug-tests-jsc/build/LayoutTests/js/regress-150220-expected.txt (Errno::ENOENT)
	from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1552:in `block in fu_each_src_dest'
	from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1568:in `fu_each_src_dest0'
	from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:1550:in `fu_each_src_dest'
	from /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/fileutils.rb:393:in `cp'
	from Tools/Scripts/run-jsc-stress-tests:1053:in `block (2 levels) in prepareExtraRelativeFiles'
	from Tools/Scripts/run-jsc-stress-tests:1051:in `each'
	from Tools/Scripts/run-jsc-stress-tests:1051:in `block in prepareExtraRelativeFiles'
	from Tools/Scripts/run-jsc-stress-tests:1050:in `chdir'
	from Tools/Scripts/run-jsc-stress-tests:1050:in `prepareExtraRelativeFiles'
	from Tools/Scripts/run-jsc-stress-tests:968:in `runLayoutTest'
	from Tools/Scripts/run-jsc-stress-tests:979:in `runLayoutTestDefault'
	from Tools/Scripts/run-jsc-stress-tests:1028:in `defaultRunLayoutTest'
	from (eval):1:in `block (4 levels) in handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1314:in `eval'
	from Tools/Scripts/run-jsc-stress-tests:1314:in `block (4 levels) in handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1307:in `each'
	from Tools/Scripts/run-jsc-stress-tests:1307:in `block (3 levels) in handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1305:in `each'
	from Tools/Scripts/run-jsc-stress-tests:1305:in `block (2 levels) in handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1293:in `chdir'
	from Tools/Scripts/run-jsc-stress-tests:1293:in `block in handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1259:in `each'
	from Tools/Scripts/run-jsc-stress-tests:1259:in `handleCollectionFile'
	from Tools/Scripts/run-jsc-stress-tests:1350:in `handleCollection'
	from Tools/Scripts/run-jsc-stress-tests:1435:in `block in prepareBundle'
	from Tools/Scripts/run-jsc-stress-tests:1433:in `each'
	from Tools/Scripts/run-jsc-stress-tests:1433:in `prepareBundle'
	from Tools/Scripts/run-jsc-stress-tests:1797:in `runNormal'
	from Tools/Scripts/run-jsc-stress-tests:1830:in `<main>'
Comment 6 Csaba Osztrogonác 2015-10-16 09:24:33 PDT
js/regress-150220-expected.tx: Added. --> It should be txt not tx.
Comment 7 Csaba Osztrogonác 2015-10-16 09:27:20 PDT
(In reply to comment #6)
> js/regress-150220-expected.tx: Added. --> It should be txt not tx.
and it is completely missing ...
Comment 8 Csaba Osztrogonác 2015-10-16 09:32:05 PDT
Fixed in http://trac.webkit.org/changeset/191179
Comment 9 Michael Saboff 2015-10-16 09:33:14 PDT
(In reply to comment #8)
> Fixed in http://trac.webkit.org/changeset/191179

You beat me to it. I was in the process of checking it in as well.